On 28/11/17 22:41, Kirk Hall via Public wrote:
> Sorry, but your #2 below is wrong – James did leave a trace, his name
> and address (and no, that’s not emotion talking, just facts). To my
> knowledge, so has every EV cert holder – it’s way too much trouble to
> establish a corporation (that’s real) using fake and untraceable
> information,

You assert this, but it seems to me that James' blog post makes a good case for it not being true. If the QGIS does no vetting on the submitted identity details, I can use just about anyone's, from my grandmother's to ones bought for pennies on the dark web, and no-one will be any the wiser.

All you need, as James says, is: "address, date of birth, nationality and 'three pieces of identifiable information'", which according to James' image are town of birth, mother's maiden name and eye colour, although it's far from clear that these values are validated so you probably don't need to find them out for the person whose identity you are stealing, you can just make them up.

The fact that James did not go this route himself doesn't mean his demonstration has no value. Do you deny that it's pretty simple to find the name, address, DOB and nationality of a random person whose identity you want to borrow?

> just to obtain and use an EV cert for that fake identity, which will then
> be unusable as soon as the website has been tagged for fraud or
> phishing.

So you are saying it's OK to have a weak EV process, because Google Safe Browsing exists?

> In contrast, anonymous, free, phishing DV certs

Can we reduce or eliminate this focus on phishing? EV is, or should be, about more than just "anti-phishing". If everyone agrees that anti-phishing is all it's about, then perhaps I should file a bug to get the EV UI removed from Firefox, because I'm not convinced the SSL certificate level is the right place to be doing anti-phishing.

(If you want an alternative scenario to use mentally, how about the scenario of a fly-by-night internet shop, set up with an EV certificate in the run-up to Christmas, which spends a week taking people's money and then disappears with it before people realise nothing is shipping.)

Gerv
